NCSC-UK — "10 questions to ask when using AI models to find vulnerabilities"

NCSC-UK published an operational 10-question checklist on 2026-05-11 (authored by Ruth C, Head of Vulnerability Management Group) for organisations evaluating or deploying AI / LLM tooling for vulnerability discovery (NCSC-UK blog, 2026-05-11). The guidance is substantively different from the previously-covered NCSC-CH BACS strategic assessment: it is process- and infrastructure-flavoured rather than landscape-flavoured. The ten questions interrogate (a) process prerequisites — is there a triage / remediation pipeline that can absorb what the AI surfaces, or will the backlog simply grow while team capacity stays flat; (b) data governance — what code, infrastructure and secrets is the model being given access to; (c) infrastructure security — is the AI agent sandboxed from production; (d) permissions blast-radius — has the model been granted excessive permissions that magnify attacker reach if the agent itself is compromised; (e) legal / data-retention; (f) false-positive overhead on the blue team. The piece explicitly warns that AI-accelerated vulnerability discovery without matching remediation capacity makes the organisation worse off, not better — a direct critique of "buy the AI tool" patterns. [SINGLE-SOURCE]